Relatively young but increasingly active hacker group

Ransomware attack on Kettering Health: Interlock publishes data

Image source: Susan Law Cain / Shutterstock.com

The US healthcare organization Kettering Health continues to struggle with the consequences of a massive cyberattack.

More than two weeks after the attack became known, the network of over 120 medical facilities, including nine major hospitals in Ohio, is still not fully functional.


Over 940 gigabytes of sensitive data stolen

On Wednesday, the hacker group “Interlock” claimed responsibility for the attack. The group published the first examples of an allegedly stolen data set totaling 941 gigabytes on its leak platform on the darknet. The leaked documents include financial reports, budget plans for 2023 and 2024, insurance documents, tax data and personal documents such as a driver’s license from Ohio and a Japanese passport.

The group also lists other files, including an 85 MB folder with bank reports, a 7.7 GB file with information on security personnel and almost 5 GB of suspected Medicaid applications. Information on the blood bank and pharmaceutical sector is also said to be included.

Care disrupted – clinics switch to paper forms

Since the incident on May 20, there has been a digital standstill in large parts of the hospital network. According to patients and staff, numerous medical procedures have had to be canceled or postponed. Doctors and nurses are resorting to paper documentation out of necessity, a significant step backwards in clinical care for around 1.5 million people every year.


At the beginning of the incident, Kettering Health published a ransom note attributed to the Interlock group. In the note, the attackers claim to have encrypted the network’s “most important files”. Initially, Kettering Health was not listed on the group’s leak page, which triggered speculation about possible ransom negotiations. It now seems clear that if there were negotiations, they did not lead to any results.

Progress in recovery

On Monday, Kettering Health released another update on the status of system recovery. It was announced that the electronic health record (EHR) system “Epic” could be put back into operation. Around 200 employees were involved in the repair work. Telephony and access to the patient portal “MyChart” are also to be gradually restored.

Background on the attacker group

Interlock is still a relatively young but increasingly active ransomware group that has already made several appearances with targeted attacks on critical infrastructure. Publishing data on the darknet is a common extortion method used to increase the pressure on victim organizations.

The security situation in the healthcare sector remains tense – and not just in the USA. Experts have been warning for years about the particular vulnerability of medical networks to cyber attacks.
